Wildcard SSL certificates have risen in popularity because organizations use them to save money and because they can be more convenient to use. But time and money savings may not always live up to all they promise and often come at a cost (and it’s not just about security). What are wildcard certificates? As Nick Hunter, senior technical manager for Venafi, wrote in a recent blog post: “A wildcard certificate is a public key certificate used by all subdomains within a larger domain. Using a wildcard certificate on a publicly facing webserver, you can quickly secure unlimited subdomains that are all encrypted by the same certificate. Unfortunately, so can cybercriminals.”
I’ve mentioned in a previous blogthat SSL/TLS wildcard certificates are inherently less secure because of their broad usage across domains. They may be easy to use, but they also open the door to an increased risk of phishing attacks, exposure to certificate expiry-based outages, and ongoing certificate management challenges that may not surface until it’s too late.
Ease of management is often a reason why organizations start to use wildcard certificates, yet this may also become a reason why they stop using these certificates. Let’s explain why. Managing wildcard certificates becomes especially challenging when a single certificate is being used across many websites or critical business infrastructure.
Walter Goulet, product manager for Venafi, explains, “when a wildcard certificate is deployed widely, there is an inability to schedule expiration rates around high traffic usage periods of business-critical infrastructure. As a result, when that wildcard certificate nears expiration you need to coordinate renewal and installation on all systems that are using that certificate at the same time, or at least start the renewal and replacement process well before the certificate expires which reduces the effective lifetime of the wildcard certificate.
In healthcare, for example, organizations often have a no-touch policy on infrastructure that supports open enrollment for a period of two to three months. This concept also applies to retail organizations like Walmart and Target who have IT blackout periods around Black Friday and the holidays. Unfortunately, with wildcard certificates, when you have one certificate that is used to secure a large number of applications and services, management becomes a real nightmare and critical infrastructure may need to be maintained during no-touch periods putting your business at risk of disruption.”
If you are looking to improve your security posture by replacing your wildcard certificates or need help finding where your wildcard certificates are installed, Venafi has developed a cloud-based solution that can help you.
Venafi Cloud helps you find your wildcard certificates, see where they are installed and replace them.
If you aren’t sure what to replace your wildcard certificate with, we’ve got a few recommendations. There are two main types of certificates we recommend replacing your wildcard certificates with to improve security.
First, the most secure thing to do is to have a single certificate associated with a domain since if that certificate is compromised, the resulting exposure will be limited to only one domain.
The second option is to use a Subject Alternative Name (SANs) certificate for those customers that are using load balancers that are serving multiple websites from the same infrastructure. With a SANs certificate you can associate it with multiple sub-domains, e.g. mail.example.com, outlook.example.com, and firewall.example.com.
At Venafi, we want to help solve the underlying issues that might cause you to use wildcard certificates by making it easy for you to get and deploy certificates. We believe that automation is the future for certificates and the more intelligence you build into the process, the less value a wildcard certificate offers. Take the first step in identifying your wildcard certificate exposure with our certificate discovery capabilities and start easing the hidden costs of wildcard certificate management.